[aerogear-dev] Node.js / Passport.js thoughts (was: Re: OAuth2, OpenID connect and AeroGear)

Lucas Holmquist lholmqui at redhat.com
Mon Nov 3 08:39:13 EST 2014 

> On Nov 3, 2014, at 4:52 AM, Corinne Krych <corinnekrych at gmail.com> wrote:
> 
> 
> On 30 Oct 2014, at 19:13, Lucas Holmquist <lholmqui at redhat.com <mailto:lholmqui at redhat.com>> wrote:
> 
>> 
>>> On Oct 30, 2014, at 9:41 AM, Matthias Wessendorf <matzew at apache.org> wrote:
>>> 
>>> Hello team!
>>> 
>>> On Thu, Oct 9, 2014 at 4:49 AM, Bruno Oliveira <bruno at abstractj.org> wrote:
>>> Note: Not only for Keycloak, but also compatible with other technologies
>>> like passport on Node.js.
>>> 
>>> Great point on being compatible with passport.js! To ensure our OAuth2 client SDKs do work against node.js (w/ passport.js), how about we build a Node.js based version of our "Shoot-n-Share backend" ([1]), that is protected by Passport.js?
>> 
>> So to clear up some confusion that might be happening with what passport is, it is not an OAuth2 server thing.
>> 
>> it’s really just middleware(think of it as a servlet filter for you java weenies) for express.js,  and by using adapters(like a FB or google), it can secure RESTful endpoints in that express.js app.
> 
> So basically you can use passport to secure your endpoint using openId connect (on top of oauth2). you login as google user and your secure your endpoint with google access token. 
> with passport.js you can go the authz code grant way because you store token on server side. Refresh and access token are never stored in browser app.
> Right?
i haven’t played with it yet,  but that is my thought


> 
> On native app we’re doing what passport.js is doing but directly on device… not sure there is anything interesting to demo on native app, it’s more a web or cordova thing. I would say either use key cloak/passport Js for web pure app and corodva app or use corodva native oauth2 plugin.
i have the same feelings,  this is more web related


> 
>> 
>> I think the thing that we can do here is make a keycloack adapter for passport, using the OAuth2 protocol( similar to passports FB and google adapters );
> 
> +1 on keycloak/passport.js integration
> 
>> 
>> 
> 
> As we said passport itself is not an oauth2 provider. You could couple it with KC or
> another interesting integration is OAuth2rize + passport which provides an Oauth2 server. see [1], [2]
> 
> [1] http://scottksmith.com/blog/2014/07/02/beer-locker-building-a-restful-api-with-node-oauth2-server/ <http://scottksmith.com/blog/2014/07/02/beer-locker-building-a-restful-api-with-node-oauth2-server/>
> [2] https://github.com/jaredhanson/oauth2orize <https://github.com/jaredhanson/oauth2orize>
> 
> I’d love to take a deeper look at this example… wdyt Luke?
go go go!!


> 
>> 
>>> 
>>> It could be a (simple) a 'clone' of our java version. I think for Luke, our Node.js pro, it would be a fairly simple task :)
>>> 
>>> On the client side, the Android/iOS versions of Shoot-n-Share would simply offer a new upload target for Passport.js, instead of 'just' FB, Google-Drive and Keycloak.
>>> 
>>> That way we will also learn how much Passport.js is actually different, similar to what we learned on how Google/FB are different ;-)
>>> 
>>> Another interesting aspect of this is that, once we are ready to release our OAuth2 SDKs, it would be awesome to actually ship a node.js based demo as well, instead of just a Java-based backend demo. That would clearly show, our client libs are working across different backend technologies.
>>> 
>>> Any thoughts?
>>> 
>>> -Matthias
>>> 
>>> 
>>> [1] https://github.com/aerogear/aerogear-backend-cookbook/tree/master/Shoot
>>> 
>>> 
>>> 
>>> In the end, OAuth2 is just a protocol and
>>> should support other servers.
>>> 
>>> - Should we provide examples for OpenID connect? Or abstractions?
>>> 
>>> To track this issue, we have the following Jira[3] and another for
>>> OpenID connect[4]. Fell free to link to your respective project.
>>> 
>>> 
>>> [1] -
>>> http://transcripts.jboss.org/meeting/irc.freenode.org/aerogear/2014/aerogear.2014-10-08-14.00.html
>>> 
>>> [2] - https://gist.github.com/abstractj/04136c6df85cea5f35d1
>>> 
>>> [3] - https://issues.jboss.org/browse/AGSEC-180
>>> 
>>> [4] - https://issues.jboss.org/browse/AGSEC-190
>>> --
>>> 
>>> abstractj
>>> PGP: 0x84DC9914
>>> _______________________________________________
>>> aerogear-dev mailing list
>>> aerogear-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>> 
>>> 
>>> 
>>> -- 
>>> Matthias Wessendorf 
>>> 
>>> blog: http://matthiaswessendorf.wordpress.com/
>>> sessions: http://www.slideshare.net/mwessendorf
>>> twitter: http://twitter.com/mwessendorf
>>> _______________________________________________
>>> aerogear-dev mailing list
>>> aerogear-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>> 
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
> 
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org <mailto:aerogear-dev at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/aerogear-dev <https://lists.jboss.org/mailman/listinfo/aerogear-dev>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20141103/69ceafb7/attachment-0001.html

More information about the aerogear-dev mailing list